"To pull off the attacks, the researchers started with normal touchscreen and embedded a chip in it that manipulates the communication bus, which transfers data from device hardware to the software drivers included with the OS. This technique simulates a "chip-in-the-middle" attack"

Hm, seeing as how that actually put a chip in the middle, I'm going to say this is most definitely a real chip-in-the-middle attack, not a simulated one...

This is a pretty interesting proof of concept, but there's another angle to consider: where exactly are they going to hide the hardware? It's not like smartphones have a ton of extra room internally nowadays.

Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.

> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.

The solution is exactly what some PC manufacturers have been doing for years... cough *Lenovo* verified component white lists. And what you state above, but doing these things increases the costs of components as they will be 100% controlled with no 3rd party substitute... so... you have a repairability vs cost argument I would think...

> This is a pretty interesting proof of concept, but there's another angle to consider: where exactly are they going to hide the hardware? It's not like smartphones have a ton of extra room internally nowadays.
>
> -mhac³

I think that when the researchers warn that it can be mass produced, it implies that it won't be this huge proof of concept chip but rather some tiny miniaturised one.

Still, it's true that even with something smaller space is not something abundant in modern smartphones.

Vendors will likely suggest that you only have your devices repaired at authorized locations, etc. But even then there's no guarantee that the authorized repair shop didn't buy a batch of cheap knockoff parts to save a little money.

This sort of reminds me of last year's issues with replaced home buttons on iPhones. There was apparently a security check in the phone to ensure the Touch ID sensor wasn't tampered with, and knockoff replacement parts would fail that check.

I have a hard time believing the 1 in 5 cracked screen number. The number of people I see with what I consider unusable shattered screens may be enough to reach that threshold. Add in the less intensive cracks and I would have believed them if the report had said 50%.

> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.

While it increases costs, for the average consumer the practical result will be to restrict repairs to trusted sources - easier with iOS devices that can go to a local Apple Store vs. Android devices that don't have readily available OEM repair locations. Even if a third party repair shop is trustworthy, you have to hope that their supplier was also trustworthy.

> This is a pretty interesting proof of concept, but there's another angle to consider: where exactly are they going to hide the hardware? It's not like smartphones have a ton of extra room internally nowadays.
>
> -mhac³

These demonstrations were just to prove basic viability. They used off-the-shelf microcontrollers and some pretty large wires.

Scaling the size down further wouldn't be super difficult. You'll notice the chips used have plenty of unused slots for instance. Space is tight, to be sure, but there is some space and that's all that's needed for someone with enough time and lack of morals.

Honestly, this is where right to repair laws may come in. You're gonna see arguments from Apple, etc. that this is exactly what they are trying to prevent.

And you're going to see arguments from iFixit, etc. saying that if there was an open and transparent process for certification, and purchase of tools and parts, this could also be prevented. Someone certified as complying with the law is less likely to be a bad actor.

One thing is certain, this just made everything more complicated (as if it weren't complicated enough already).

This is an argument against phones that are modular and/or easy to take apart and service. It's discouraging to see good arguments for making it hard to fix or upgrade hardware, but that's where we are now.

> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.
>
> The solution is exactly what some PC manufacturers have been doing for years... cough *Lenovo* verified component white lists. And what you state above, but doing these things increases the costs of components as they will be 100% controlled with no 3rd party substitute... so... you have a repairability vs cost argument I would think...

... and as long as Lenovo (and IBM before that) has been whitelisting only approved PCI cards, ThinkPad fans have been changing the PCI ID firmware of unsupported Wi-Fi cards (et al) to make them compatible. Not difficult to work around.

Apparently part of what makes the iPhone screen so difficult to repair is that the Touch ID sensor must be paired to the secure enclave. I paid ~$120 last year to have a cracked screen replaced by Apple. It seems like a reasonable price (consider the display is undoubtedly the most expensive component) so IDK why people that have no problem affording a $700+ phone try to cheap out on repairs and accessories (like charging cables). But I could have saved $30 by going to one of those little kiosks in the mall... speaking generally here, I understand the device in the article is not an iPhone.

> I have a hard time believing the 1 in 5 cracked screen number. The number of people I see with what I consider unusable shattered screens may be enough to reach that threshold. Add in the less intensive cracks and I would have believed them if the report had said 50%.
>
> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.
>
> While it increases costs, for the average consumer the practical result will be to restrict repairs to trusted sources - easier with iOS devices that can go to a local Apple Store vs. Android devices that don't have readily available OEM repair locations. Even if a third party repair shop is trustworthy, you have to hope that their supplier was also trustworthy.

Nearest Apple store to me is 215 miles. So, I'm in the habit of going to the local iRepair for screen replacement.

The issue now is how they source their replacement parts. I'm not concerned with the guys running the place...I know them personally. But they do take price into account when sourcing replacement parts. I've forwarded this article on to them and hope that they will look closer at their suppliers to ensure they're as trustable as possible.

But at what point does a state actor (US/China/Russia) start using this in bulk? It's already an issue regarding IP cameras.

> This is a pretty interesting proof of concept, but there's another angle to consider: where exactly are they going to hide the hardware? It's not like smartphones have a ton of extra room internally nowadays.
>
> I think that when the researchers warn that it can be mass produced, it implies that it won't be this huge proof of concept chip but rather some tiny miniaturised one.
>
> Still, it's true that even with something smaller space is not something abundant in modern smartphones.

Right, that's what I was going for. Even with a good play at miniaturizing the product, they still have to find a place to put it. It will also have to be customized for a specific make/model of phone. Really the only answer is to have it designed into the replacement screen. Anything else is going to require it to be large enough that human hands can manipulate and install it. One of the low hanging fruits for circuit miniaturization is shrinking and removing connection infrastructure. If a bunch of solder pads and ribbon cables are involved, it's going to be more difficult to apply.

I envision this more as spook gear (with nation-state resources) than organized crime.

> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.

Even that has problems. The overhead of securing every communication pathway would probably be too large. On top of that you've got the usual bugs that once found will persist for years making the whole expense and exercise essentially pointless. Finally, even if it is designed properly one key leak and the whole thing falls over just like HDMI/HDCP.

It goes back to the fundamental rule: if they have physical access you lose.

> Vendors will likely suggest that you only have your devices repaired at authorized locations, etc. But even then there's no guarantee that the authorized repair shop didn't buy a batch of cheap knockoff parts to save a little money.
>
> This sort of reminds me of last year's issues with replaced home buttons on iPhones. There was apparently a security check in the phone to ensure the Touch ID sensor wasn't tampered with, and knockoff replacement parts would fail that check.

Sort of, but no. It wasn't just knockoff replacement parts that would have that Touch ID issue.

Even if, for instance, a repair shop had taken a working Touch ID sensor out of another iPhone and put it into yours for repair, or if they had somehow used a supplier that had access to Apple parts, this issue would have happened.

The problem was, after the replacement was done the third party repair service did not have access to the tools and knowledge needed to properly pair the Touch ID sensor with the secure enclave and the rest of the hardware. Notice that in the final solution, the phone was updated to work again, but the Touch ID features remained disabled. Without the pairing, security couldn't be guaranteed.

This is, of course, getting into right to repair laws and larger complicated arguments of whether or not Apple is right to hold back such knowledge. (There are theoretically good arguments for and against for this scenario)

If your phone is ever out of your possession in airport security for any length of time, one might assume that there has been an image made of the memory as well as a replacement screen installed (does this void warranty?)

I'm not sure how one designs around this. I'm sure Apple would happily sell you screens that provide encryption to the rest of the phone (because only then can they provide functional replacement parts). The problem is, you now have both halves of the encryption on the device. Like having the DVD decryption key in software, someone is going to find it.

I guess one could envision an authorized repair agent providing a unique identifier for a phone to Apple and having them return a device-specific code that's burned into the chip at the time of installation. So long as only Apple's authorized repair centers have access to this network and have to demonstrate that they're using only Apple's hardware then I suppose it could be made to work.
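Added example, not code from any commenter, the researchers or any vendor in this thread: a Go model of the per-component key idea quoted earlier in the thread (a private key in the touchscreen controller, the OS/driver stack checking every report against the paired public key) together with the pairing step the comment above describes. The names (Report, Controller, HostDriver, Pair, Accept, Scenario), the component IDs and the sample coordinates are my own; Ed25519 from Go's standard library stands in for whatever a real part would implement in silicon, and the "burned-in" key is simply generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Report is one touch event plus the controller's signature; Counter is monotonic so a captured report cannot be replayed.
type Report struct {
	ComponentID string
	X, Y        uint16
	Counter     uint32
	Sig         []byte
}

// encode serialises every field except Sig into the exact bytes that get signed.
func encode(r Report) []byte {
	msg := append([]byte{byte(len(r.ComponentID))}, r.ComponentID...)
	var fixed [8]byte
	binary.BigEndian.PutUint16(fixed[0:2], r.X)
	binary.BigEndian.PutUint16(fixed[2:4], r.Y)
	binary.BigEndian.PutUint32(fixed[4:8], r.Counter)
	return append(msg, fixed[:]...)
}

// Controller models a touchscreen controller with a key burned in at manufacture (kept in memory here; real silicon would be tamper-resistant, the TPM analogy).
type Controller struct {
	ID      string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	counter uint32
}

func NewController(id string) *Controller {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do in this model
	}
	return &Controller{ID: id, Pub: pub, priv: priv}
}

// Send emits the next signed touch report.
func (c *Controller) Send(x, y uint16) Report {
	c.counter++
	r := Report{ComponentID: c.ID, X: x, Y: y, Counter: c.counter}
	r.Sig = ed25519.Sign(c.priv, encode(r))
	return r
}

var (
	ErrUnknownComponent = errors.New("component is not paired with this device")
	ErrBadSignature     = errors.New("signature does not verify: report altered or forged")
	ErrReplay           = errors.New("counter did not advance: replayed report")
)

// HostDriver is the OS side: it trusts only public keys recorded at pairing time, never a key the part presents about itself.
type HostDriver struct {
	trusted     map[string]ed25519.PublicKey
	lastCounter map[string]uint32
}

// Pair records a component's public key: the factory or authorised-repair step the thread discusses.
func (h *HostDriver) Pair(id string, pub ed25519.PublicKey) { h.trusted[id] = pub }
// Accept checks origin (signature under the paired key) and freshness (counter advanced).
func (h *HostDriver) Accept(r Report) error {
	pub, ok := h.trusted[r.ComponentID]
	if !ok {
		return ErrUnknownComponent
	}
	if !ed25519.Verify(pub, encode(r), r.Sig) {
		return ErrBadSignature
	}
	if r.Counter <= h.lastCounter[r.ComponentID] {
		return ErrReplay
	}
	h.lastCounter[r.ComponentID] = r.Counter
	return nil
}

// Scenario feeds the driver what an interposer or a swapped part would produce (constructed sample coordinates) and returns each verdict.
func Scenario() map[string]error {
	genuine := NewController("touch-ctrl-0001")
	host := &HostDriver{trusted: map[string]ed25519.PublicKey{}, lastCounter: map[string]uint32{}}
	host.Pair(genuine.ID, genuine.Pub)
	out := map[string]error{}
	first := genuine.Send(120, 340)
	out["genuine"] = host.Accept(first)
	altered := first
	altered.X = 900 // interposer rewrites the tap location; the signature no longer matches
	out["altered"] = host.Accept(altered)
	out["replayed"] = host.Accept(first) // the already-accepted report delivered again
	out["unpaired"] = host.Accept(NewController("touch-ctrl-9999").Send(50, 50)) // part nobody paired
	return out
}

func main() { fmt.Println(Scenario()) }
```

Run it with `go run`; the four verdicts show what such a scheme buys: a report rewritten in transit, a recorded report delivered again, and a part that was never paired are all refused, while the genuine part works. They also show what it does not buy: an interposer can still read every report (a signature gives integrity and origin, not confidentiality), a part that holds its own valid key is trusted whatever firmware it runs, and if one key were shared across a whole model line the single-leak problem raised elsewhere in the thread would apply. Per-device keys bound at pairing confine a leak to one device, at the price of exactly the repair friction this thread complains about.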

> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.
>
> Even that has problems. The overhead of securing every communication pathway would probably be too large. On top of that you've got the usual bugs that once found will persist for years making the whole expense and exercise essentially pointless. Finally, even if it is designed properly one key leak and the whole thing falls over just like HDMI/HDCP.
>
> It goes back to the fundamental rule: if they have physical access you lose.

Ah, but in this case the bad actor doesn't need physical access. He can have many proxies around the world do it for him. If you're a bad actor you can afford to lose money on making Galaxy replacement screens. You can corner the market and sell them under 50 different brands. And every otherwise reputable repair shop in the world that's replacing screens is actually doing your dirty work for you.

> If your phone is ever out of your possession in airport security for any length of time, one might assume that there has been an image made of the memory as well as a replacement screen installed (does this void warranty?)

I find the probability of this to be essentially inconsequential. The logistics just do not shake out for places like a border checkpoint or airport. This attack works at an industrial scale, not a localized one. Properly set up phones are actually very hard to compromise on security without a lot of time or resources.

I remember a few years back when I shattered the screen of a Nexus just past the end-of-warranty date. Called Google who forwarded me to LG who gave me this lovely option: I pay for certified shipping to and from them and then for $80 they will have a technician assess the damage; any actual repairs would be extra. So yes I took it to a local place for repair. It's also the last time I bought an Android, to be frank.

> This is a pretty interesting proof of concept, but there's another angle to consider: where exactly are they going to hide the hardware? It's not like smartphones have a ton of extra room internally nowadays.
>
> I think that when the researchers warn that it can be mass produced, it implies that it won't be this huge proof of concept chip but rather some tiny miniaturised one.
>
> Still, it's true that even with something smaller space is not something abundant in modern smartphones.
>
> Right, that's what I was going for. Even with a good play at miniaturizing the product, they still have to find a place to put it. It will also have to be customized for a specific make/model of phone. Really the only answer is to have it designed into the replacement screen. Anything else is going to require it to be large enough that human hands can manipulate and install it. One of the low hanging fruits for circuit miniaturization is shrinking and removing connection infrastructure. If a bunch of solder pads and ribbon cables are involved, it's going to be more difficult to apply.
>
> I envision this more as spook gear (with nation-state resources) than organized crime.
>
> -mhac³

A lot of these malicious actors aren't going to care if their additions gouge a component, jag a wire, or dangerously pinch a battery as long as they get what they want.

So this is a keyboard / peripheral attack vector, just on a touchscreen. What happens when someone decides to do a run of counterfeit IBM Model Ms and dump them on the market for $40 each on eBay?

This is not a new or novel attack vector. Counterfeit parts always have the possibility of having surreptitious surveillance. It's easy enough to do the same kind of data dump off a motherboard with a few replaced chips / circuits.

Even at an additional cost of $5-10 USD for the "corrupted" part, most of the market isn't going to take that kind of hit to their profit; it's bought and sold on single digit percentage margins at each tier.

> I remember a few years back when I shattered the screen of a Nexus just past the end-of-warranty date. Called Google who forwarded me to LG who gave me this lovely option: I pay for certified shipping to and from them and then for $80 they will have a technician assess the damage; any actual repairs would be extra. So yes I took it to a local place for repair. It's also the last time I bought an Android, to be frank.

If Geek Squad bugged your phone, then that news, when it got out to the public, would render them moot for any cell phone service ever again in terms of public opinion.

> This is a pretty interesting proof of concept, but there's another angle to consider: where exactly are they going to hide the hardware? It's not like smartphones have a ton of extra room internally nowadays.
>
> -mhac³

There is plenty of room where the battery goes. Simply replace their 20% worn battery with a brand new battery 80% the size.

The NSA switched Cisco gear in transit and replaced the units with hacked firmware years ago. It is certainly not beyond them (or Russian / Chinese intelligence agencies) to replace phones with compromised units like described here. They could be manufactured in extremely high quality, so even trained technicians couldn't tell the difference.

If independent researchers can do this now, then odds are intelligence agencies have been doing this for a while already.

> The NSA switched Cisco gear in transit and replaced the units with hacked firmware years ago. It is certainly not beyond them (or Russian / Chinese intelligence agencies) to replace phones with compromised units like described here. They could be manufactured in extremely high quality, so even trained technicians couldn't tell the difference.
>
> If independent researchers can do this now, then odds are intelligence agencies have been doing this for a while already.

How can we ever trust a phone or tablet?

Indeed. If we're going to be paranoid over the possibility that a replacement part is full of hacker magic, we shouldn't be so sanguine that the original parts aren't.

> I have a hard time believing the 1 in 5 cracked screen number. The number of people I see with what I consider unusable shattered screens may be enough to reach that threshold. Add in the less intensive cracks and I would have believed them if the report had said 50%.
>
> Only thing I can think of is physically burning a private key in each component (like the touchscreen controller), just like what is done with TPMs and have the OS/driver stack validate every communication with the device using the corresponding public key.
>
> While it increases costs, for the average consumer the practical result will be to restrict repairs to trusted sources - easier with iOS devices that can go to a local Apple Store vs. Android devices that don't have readily available OEM repair locations. Even if a third party repair shop is trustworthy, you have to hope that their supplier was also trustworthy.
>
> Nearest Apple store to me is 215 miles. So, I'm in the habit of going to the local iRepair for screen replacement.
>
> The issue now is how they source their replacement parts. I'm not concerned with the guys running the place...I know them personally. But they do take price into account when sourcing replacement parts. I've forwarded this article on to them and hope that they will look closer at their suppliers to ensure they're as trustable as possible.
>
> But at what point does a state actor (US/China/Russia) start using this in bulk? It's already an issue regarding IP cameras.

Regarding the US and Russia, it would be difficult for them to do it in bulk, but for targeting persons of interest, I'm pretty sure it's not "does" but "did".

> So this is a keyboard / peripheral attack vector, just on a touchscreen. What happens when someone decides to do a run of counterfeit IBM Model Ms and dump them on the market for $40 each on eBay?

Well, this is the case for any USB device, and has been discussed before. In theory, if you plug in a keyboard, and it decides to start being something else, the OS should prompt for, say, attaching a flash drive.

Then again, I think we've already seen vulnerabilities that allow malicious USB devices to do things surreptitiously, and there's no real reason to be confident that there aren't others out there.

Plenty of decently-well-reviewed mechanical keyboards on Amazon designed and manufactured in China...in theory, any one of them could be compromised. But what do you trust then? Clicking on the Windows onscreen keyboard with a mouse? You'd lose all will to live pretty quickly that way...

In a way, I like articles like these, because they remind me not to waste too much money fetishizing computing software. That hypothetical new six core Coffee Lake build suddenly seems less worth the price.
